Security log question

James A. Coulter jacoulter at jacoulter.net
Sat Aug 14 19:03:28 PDT 2004


On Sat, Aug 14, 2004 at 04:39:58PM +0200, Alex de Kruijff wrote:
> On Wed, Aug 11, 2004 at 07:46:47PM -0500, James A. Coulter wrote:
> > This message has been showing up in /var/log/security:
> > 
> > 	Aug  6 01:56:44 sara /kernel: drop session, too many entries
> > 	Aug  6 16:40:05 sara /kernel: drop session, too many entries
> > 	Aug  7 13:25:23 sara /kernel: drop session, too many entries
> > 	Aug  7 15:32:00 sara /kernel: drop session, too many entries
> > 	Aug  7 15:32:03 sara last message repeated 3 times
> > 	Aug  8 22:30:53 sara /kernel: drop session, too many entries
> > 	Aug 10 19:47:31 sara /kernel: drop session, too many entries
> > 	Aug 11 11:11:46 sara /kernel: drop session, too many entries
> > 	Aug 11 13:08:15 sara /kernel: drop session, too many entries
> > 	Aug 11 13:10:26 sara last message repeated 12 times
> > 	Aug 11 13:20:34 sara last message repeated 55 times
> > 	Aug 11 13:30:00 sara last message repeated 66 times
> > 	Aug 11 16:49:26 sara /kernel: drop session, too many entries
> > 	Aug 11 16:49:58 sara last message repeated 5 times
> > 	Aug 11 16:52:04 sara last message repeated 20 times
> > 	Aug 11 17:02:01 sara last message repeated 93 times
> > 	Aug 11 17:18:01 sara /kernel: drop session, too many entries
> > 	Aug 11 17:23:03 sara /kernel: drop session, too many entries
> > 
> > I'm running FreeBSD 4.10 with IPFW and NAT as a gateway/router/firewall for a home LAN.  I am the only user (I hope!) with access to this system.
> > 
> > I googled the "drop session" message and found e-mail correspondence indicating this message is a result of having too many telnet or ssh sessions open at the same time and could be an indication of a DOS attack.
> > 
> > I have disabled telnet in inetd.conf.  I am running ftp with anonymous log-in disabled and ssh with root login disabled.  I am also running apache 1.3.
> > 
> > Is this message something I should investigate further, or is it like the script kiddies who scan my ports every night - just something to live with?
> 
> Yes, but I don't think you are likely at risk of having someone break in
> on your system. Your server probably just handles the traffic nicely.
> You need to investigate further to find out what is causing this and
> what you can do about it.
> 
> P.S. I noticed you have very long lines in your mail and use mutt.
> Would you consider adding the following line to .muttrc (and installing
> vim) so that this is automatically wrapped at 72 chars?
> 
> set editor="vim +':set tw=72' +':set ww=<,>,h,l,[,]' %s"
> 
> 
> -- 
> Alex

Alex - thanks for the response and for the .muttrc tip.  I added it and hopefully my mail will now wrap at 72 characters.

Jim
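
A first step for the "investigate further" advice in the reply, as an added example that is not part of the original thread: it tallies the "drop session" events per day or hour, expanding syslogd's "last message repeated N times" lines so bursts show their real size. The function names, the bucket format and the threshold are assumptions made for this example.

```python
import re
from collections import Counter

# Excerpt of the /var/log/security lines quoted in the post above.
SAMPLE = """\
Aug  7 13:25:23 sara /kernel: drop session, too many entries
Aug  7 15:32:00 sara /kernel: drop session, too many entries
Aug  7 15:32:03 sara last message repeated 3 times
Aug  8 22:30:53 sara /kernel: drop session, too many entries
Aug 11 13:08:15 sara /kernel: drop session, too many entries
Aug 11 13:10:26 sara last message repeated 12 times
Aug 11 13:20:34 sara last message repeated 55 times
Aug 11 13:30:00 sara last message repeated 66 times
"""

LINE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hh>\d\d):\d\d:\d\d "
                  r"(?P<host>\S+) (?P<msg>.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
NEEDLE = "drop session, too many entries"

def count_drops(text, bucket="day"):
    """Count drop events per day (or hour), expanding syslogd repeat lines."""
    counts = Counter()
    last_msg = {}  # host -> most recent real (non-repeat) message
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = f"{m['mon']} {int(m['day']):02d}"
        if bucket == "hour":
            key += f" {m['hh']}h"
        rep = REPEAT.match(m["msg"])
        if rep:
            # A repeat line stands for N copies of the previous message; they
            # are booked at the repeat line's own timestamp (an approximation).
            if NEEDLE in last_msg.get(m["host"], ""):
                counts[key] += int(rep.group(1))
        else:
            last_msg[m["host"]] = m["msg"]
            if NEEDLE in m["msg"]:
                counts[key] += 1
    return counts

def bursts(counts, threshold):
    """Buckets whose count reaches threshold (an assumed, arbitrary cut-off)."""
    return sorted(k for k, v in counts.items() if v >= threshold)

if __name__ == "__main__":
    for key, n in sorted(count_drops(SAMPLE, "hour").items()):
        print(key, n)
```

The hours that stand out can then be compared with what the gateway and the LAN hosts behind it were doing at those times.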


More information about the freebsd-questions mailing list